US Senate Introduces Strong Privacy Bill

February 7, 2007: US Senators yesterday introduced a bill that better protects the privacy of citizens’ personal information in the face of data security breaches across the country.

Senators Patrick Leahy (D-Vt.) and Bernie Sanders (I-Vt.) co-sponsored the Personal Data Privacy and Security Act, which was first introduced in 2005 with co-sponsorship from Arlen Specter (R-Pa.) following serious data breaches at ChoicePoint and LexisNexis.

Senator Specter, who is the Ranking Member on the panel, is co-sponsoring the bill again this Congress.

Since then, breaches at several other firms and within state and federal governments have exposed millions of Americans to identity theft by leaking or losing their personal data, which included names, addresses, and sometimes Social Security numbers.

Just last week in Vermont there was a serious data breach of a computer system used by the Vermont Agency of Human Services.

The breach jeopardized the financial data of at least 69,000 Vermonters whose personal financial information was stored on the server. In other recent cases, Designer Shoes Warehouse and TJ Maxx Stores both had the personal information of their customers stolen from their computers.

According to the Privacy Rights Clearinghouse, since February 2005, more than 100 million records containing personal information have been subject to some sort of security breach.

“Today, Americans live in a world where their most sensitive personal information can be accessed and sold to the highest bidder, with just a few keystrokes on a computer, yet our privacy laws haven’t kept pace,” said Leahy, who has championed privacy protections in his more than three decades in the United States Senate. “This comprehensive bill not only deals with the need to provide Americans with notice when they have been victims of a data breach, but also deals with the underlying problem of lax security and lack of accountability to help prevent data breaches from occurring in the first place. Reforms like these are long overdue.”

He said the bill also can serve as a model for states in enacting laws covering state-kept data.

“This legislation is a critically important tool to protect the privacy of Americans’ personal information. Companies who collect personal information have a serious responsibility to safeguard it and this bill would make sure they do that,” said Sanders. “In addition, we need to treat the theft of personal information as the serious crime that it is. This bill sends the message loud and clear that those who engage in identity theft are going to face increased criminal penalties. I look forward to working with Senator Leahy – who has been at the forefront of the effort to protect Americans’ privacy rights – to advance this important legislation.”

Key features of the bipartisan legislation include: increasing criminal penalties for identity theft involving electronic personal data and making it a crime to intentionally or willfully conceal a security breach involving personal data; giving individuals access to, and the opportunity to correct, any personal information held by commercial data brokers; requiring entities that maintain personal data to establish internal policies that protect the personal data of Americans; requiring entities that maintain personal data to give notice to individuals and law enforcement when they experience a breach involving sensitive personal data; and requiring the government to establish rules protecting privacy and security when it uses information from commercial data brokers, to conduct audits of government contracts with data brokers, and to impose penalties on government contractors that fail to meet data privacy and security requirements.

Advocacy group Center for Democratic Technology welcomed the legislation, particularly the provision in the measure that strengthens oversight of the government’s use of commercial databases to collect information about citizens.